SELinux Archive on lore.kernel.org
From: Dominick Grift <dominick.grift@defensec.nl>
To: James Carter <jwcart2@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH v3] secilc/docs: document expandtypeattribute
Date: Fri, 31 Jul 2020 09:26:11 +0200
Message-ID: <ypjlh7tom9gs.fsf@defensec.nl>
In-Reply-To: <CAP+JOzQMM5YpemgPXzAZew+oHiV6fgPuuY5WFSyQb2cEkFLwRA@mail.gmail.com> (James Carter's message of "Thu, 30 Jul 2020 18:22:37 -0400")

James Carter <jwcart2@gmail.com> writes:

> On Thu, Jul 30, 2020 at 9:14 AM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>> This was added for Android's Treble in 2017.
>>
>> I was unsure whether this belongs in type_statements or in conditional_statements.
>>
>
> I think that it fits best with the type statements as you have it.
>
>> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
>> ---
>> v2: overriden is overridden
>> v3: add link to README.md
>>
>>  secilc/docs/README.md              |  1 +
>>  secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++
>>  2 files changed, 39 insertions(+)
>>
>> diff --git a/secilc/docs/README.md b/secilc/docs/README.md
>> index 3f1838e6..efab2a71 100644
>> --- a/secilc/docs/README.md
>> +++ b/secilc/docs/README.md
>> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language)
>>    * [typealiasactual](cil_type_statements.md#typealiasactual)
>>    * [typeattribute](cil_type_statements.md#typeattribute)
>>    * [typeattributeset](cil_type_statements.md#typeattributeset)
>> +  * [expandtypeattribute](cil_type_statements.md#expandtypeattribute)
>>    * [typebounds](cil_type_statements.md#typebounds)
>>    * [typechange](cil_type_statements.md#typechange)
>>    * [typemember](cil_type_statements.md#typemember)
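Review bot: the new README entry sits between `typeattributeset` and `typebounds`, which matches where the section is inserted in cil_type_statements.md in the second hunk, and the anchor `#expandtypeattribute` matches that heading text, so this is consistent; the only thing to keep in mind is that the README order and the section order must stay in sync if the section is moved later.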
>> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md
>> index f9dd3a76..f819b3c6 100644
>> --- a/secilc/docs/cil_type_statements.md
>> +++ b/secilc/docs/cil_type_statements.md
>> @@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
>>          )
>>      )
>>
>> +expandtypeattribute
>> +-------------------
>> +
>> +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden.
>
> The wording confused me at first.
> I think "Overrides the compiler defaults for the expansion of one ...
> identifiers." would be clearer.
>
>> +
>> +**Statement definition:**
>> +
>> +    (expandtypeattribute typeattribute_id true|false)
>> +
>> +**Where:**
>> +
>> +<table>
>> +<colgroup>
>> +<col width="25%" />
>> +<col width="75%" />
>> +</colgroup>
>> +<tbody>
>> +<tr class="odd">
>> +<td align="left"><p><code>expandtypeattribute</code></p></td>
>> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td>
>> +</tr>
>> +<tr class="even">
>> +<td align="left"><p><code>typeattribute_id</code></p></td>
>> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td>
>> +</tr>
>> +<tr class="odd">
>> +<td align="left"><p><code>true | false</code></p></td>
>> +<td align="left"><p>Either true or false.</p></td>
>> +</tr>
>> +</tbody>
>> +</table>
>> +
>> +**Example:**
>> +
>> +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute.
>> +
>> +    (expandtypeattribute domain true)
>> +
>
> It would be nice to have another example that shows a list of type
> attributes, so there is an example of that syntax as well.

I was looking into an example but turns out that either I am
misunderstanding this functionality or that it does not work as advertised:

Example:

1. compiler defaults to expand typeattributes with less
than four members
2. override pets and dogs expansion in policy

# cat > mytest.cil <<EOF
(sid mysid)
(sidorder (mysid))

(class myclass (mypermission))
(classorder (unordered myclass))

(type blue)
(type green)
(type red)
(typeattribute colors)
(typeattributeset colors (blue green red))

(type dog)
(type cat)
(type goldfish)
(typeattribute pets)
(typeattributeset pets (dog cat goldfish))

(dontaudit pets colors (myclass (mypermission)))

(expandtypeattribute (colors pets) false)
EOF

# secilc -v -X 4 mytest.cil
# sesearch policy.32 --dontaudit

>
> Thanks for doing this.
> Jim
>
>>  typebounds
>>  ----------
>>
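Review bot: the `true | false` row of the Where table ("Either true or false.") restates the syntax without saying what each value does; the table should state that `true` forces the listed attributes to be expanded and `false` prevents their expansion, overriding the compiler's size-based default, since the Example text already relies on the `true` meaning ("forcibly expand") and a reader has no way to learn the `false` meaning from this page. The statement definition `(expandtypeattribute typeattribute_id true|false)` also shows a single bare identifier while the table says "One or more previously declared typeattribute identifiers"; show the list form in the definition, for example `(expandtypeattribute (typeattribute_id ...) true|false)`, and add a second example using a list, as suggested in the reply above. For the opening sentence, the rewording proposed above ("Overrides the compiler defaults for the expansion of one or more ... identifiers.") is clearer than "Allows expansion compiler defaults ... to be overridden."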
>> --
>> 2.28.0.rc1
>>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
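The following is an added example, not code from secilc, libsepol or this thread: a small Python model of the expansion decision the test above is probing. It assumes the behaviour described in the messages, namely that `secilc -X N` expands any type attribute with fewer than N member types (rules that name the attribute are rewritten against its members) and that `(expandtypeattribute (attr ...) true|false)` overrides that default per attribute, `true` forcing expansion and `false` keeping the attribute. It feeds the `mytest.cil` policy from the message through that model and produces the rule set one would expect `sesearch --dontaudit` to report with and without the override, so the expected outcome of the test is explicit. Only plain `typeattributeset` member lists and the four access vector rule kinds are modelled; `parse_sexprs`, `load_policy`, `should_expand` and `effective_rules` are names chosen here, not secilc APIs.

```python
"""Model of secilc's type-attribute expansion decision (added example).

Assumption, taken from the thread: with -X N an attribute with fewer than N
member types is expanded; an expandtypeattribute statement overrides that,
true forcing expansion and false keeping the attribute.
"""
import re
from dataclasses import dataclass, field

# Constructed input: mytest.cil from the message, minus the sid/class
# ordering statements, which play no part in attribute expansion.
MYTEST_CIL = """
(type blue)
(type green)
(type red)
(typeattribute colors)
(typeattributeset colors (blue green red))

(type dog)
(type cat)
(type goldfish)
(typeattribute pets)
(typeattributeset pets (dog cat goldfish))

(dontaudit pets colors (myclass (mypermission)))

(expandtypeattribute (colors pets) false)
"""

AV_RULES = ("allow", "auditallow", "dontaudit", "neverallow")


def parse_sexprs(text):
    """Minimal s-expression reader: a list of nested lists of string atoms."""
    text = re.sub(r";[^\n]*", "", text)  # drop CIL ';' comments
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]


@dataclass
class Policy:
    types: set = field(default_factory=set)
    members: dict = field(default_factory=dict)    # attribute -> set of types
    overrides: dict = field(default_factory=dict)  # attribute -> bool
    rules: list = field(default_factory=list)      # (kind, src, tgt, class, perms)


def load_policy(text):
    """Two passes so declaration order does not matter, as in CIL."""
    stmts = parse_sexprs(text)
    p = Policy()
    for s in stmts:
        if s[0] == "type":
            p.types.add(s[1])
        elif s[0] == "typeattribute":
            p.members.setdefault(s[1], set())
    for s in stmts:
        if s[0] == "typeattributeset":
            attr, items = s[1], s[2] if isinstance(s[2], list) else [s[2]]
            if attr not in p.members:
                raise ValueError(f"typeattribute {attr} not declared")
            if any(isinstance(i, list) for i in items):
                raise ValueError("only plain member lists are modelled")
            unknown = set(items) - p.types
            if unknown:
                raise ValueError(f"undeclared types in {attr}: {sorted(unknown)}")
            p.members[attr].update(items)
        elif s[0] == "expandtypeattribute":
            names = s[1] if isinstance(s[1], list) else [s[1]]
            if s[2] not in ("true", "false"):
                raise ValueError("expandtypeattribute expects true or false")
            for n in names:
                if n not in p.members:
                    raise ValueError(f"typeattribute {n} not declared")
                p.overrides[n] = s[2] == "true"
        elif s[0] in AV_RULES:
            if not isinstance(s[3], list):
                raise ValueError("only (class (perm ...)) operands are modelled")
            p.rules.append((s[0], s[1], s[2], s[3][0], tuple(s[3][1])))
    return p


def should_expand(policy, attr, expand_size):
    """An explicit expandtypeattribute wins; otherwise compare size with -X."""
    if attr in policy.overrides:
        return policy.overrides[attr]
    return len(policy.members[attr]) < expand_size


def resolve(policy, name, expand_size):
    """A type stays itself; an attribute stays or becomes its members."""
    if name in policy.types:
        return [name]
    if name not in policy.members:
        raise ValueError(f"unknown type or attribute {name}")
    if should_expand(policy, name, expand_size):
        return sorted(policy.members[name])
    return [name]


def effective_rules(policy, expand_size):
    """Rules as they would reach the kernel policy, sorted for stable output."""
    out = []
    for kind, src, tgt, cls, perms in policy.rules:
        for s in resolve(policy, src, expand_size):
            for t in resolve(policy, tgt, expand_size):
                out.append((kind, s, t, cls, perms))
    return sorted(out)


def format_rule(rule):
    kind, s, t, cls, perms = rule
    return f"{kind} {s} {t}:{cls} {{ {' '.join(perms)} }};"


if __name__ == "__main__":
    pol = load_policy(MYTEST_CIL)
    print("# -X 4 with (expandtypeattribute (colors pets) false):")
    for r in effective_rules(pol, 4):
        print(format_rule(r))
    pol.overrides.clear()
    print("# -X 4 without the override (both attributes have 3 members):")
    for r in effective_rules(pol, 4):
        print(format_rule(r))
```

Run as-is it prints the single `dontaudit pets colors:myclass { mypermission };` rule for the policy as written, and nine type-to-type rules once the override is dropped; that second listing is what `sesearch --dontaudit` would show if the `false` override were being ignored, so comparing the real output against these two sets tells you which of the two readings in the message is the right one.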

Thread overview: 20+ messages
2020-07-30  9:23 [PATCH] " Dominick Grift
2020-07-30 11:45 ` [PATCH v2] " Dominick Grift
2020-07-30 13:11   ` [PATCH v3] " Dominick Grift
2020-07-30 22:22     ` James Carter
2020-07-31  7:26       ` Dominick Grift [this message]
2020-07-31 19:50         ` James Carter
2020-07-31 20:12           ` Dominick Grift
2020-07-31 20:22             ` James Carter
2020-07-31 21:07               ` Dominick Grift
2020-08-02 12:34       ` [PATCH v4] " Dominick Grift
2020-08-03 20:56         ` James Carter
2020-08-04  7:18           ` Dominick Grift
2020-08-04 14:45             ` James Carter
2020-08-04 15:48               ` Dominick Grift
2020-08-04 20:23                 ` James Carter
2020-08-04 20:29                   ` Dominick Grift
2020-08-05 19:23                     ` James Carter
2020-08-05 19:48                       ` [PATCH v5] " Dominick Grift
2020-08-05 20:22                         ` James Carter
2020-08-17 15:57                           ` Stephen Smalley
